---------- From: Black Unicorn[SMTP:unicorn@schloss.li]
At some point I will probably begin keeping logs that expire after a period of several hours, so that I can identify and block spammers. I'm interested in your thoughts on this, Uni. Is the defense "I never retain logs longer than 2 hours; they are automatically deleted out of disk space considerations" as strong as the first one? (This is how many remailers are configured. But even if the remailers all kept logs, if users are chaining their messages through multiple remailers, anonymity should still be preserved.)
See my (huge) posting on this, but I would suspect that this isn't great. Were I operating one, which I am admittedly not, I'd want there to be no data of evidentiary value ever hitting my memory or media. To some degree that's not possible. In the alternative, actually _disabling_ logging is the best policy, in my view. The evidence never existed in the first place then. It suddenly becomes a challenge to show some kind of conspiracy on your part since the actual spoliation claim is harder to make. Showing conspiracy for anything with respect to either probably starts hard and gets marginally less hard in this order:
a) A middle remailer in a multiple chain that knows nothing (little) about original sender, content or recipient. [...]
b) A back end remailer in a multiple chain that knows nothing (little) about content or original sender. [...]
c) A front end remailer in a multiple chain that knows nothing (little) about content or recipient. [...]
d) A "one hop" remailer. [...]
You're forgetting

e) A remailer which silently ignores (and deletes) all mail which is not still encrypted after the remailer's decryption key is applied.

(Complaints from Choate that I don't show how to distinguish encrypted vs cleartext mail with 100% accuracy will be silently ignored (and deleted).)

This protects the remailer operator from:

(1) having any knowledge of the ultimate destination of the mail, since there is a good possibility that the next email address is just another remailer.
(2) having any knowledge of the content of the email, since it is still encrypted. Thus, a remailer operator in Afghanistan doesn't knowingly pass on copies of 'The Satanic Verses'.
(3) passing on 99.9999% of spam. Spammers do not use encrypted mail - it requires far too much per-message processing, in terms of obtaining public keys, constructing nested encrypted messages, etc.

And yes, BU's point about not generating logs at all is well taken - I've not looked at remailer software, but commenting out a few lines should take care of this. If I ran one, I might consider keeping aggregate data (# of messages/week, MB/week), but I can't see anything useful I'd do with individual message data. This ties into the discussion about headless, disposable remailers - many of the discussed designs have no mass storage to speak of, so of course they would not keep logs.

Peter Trei
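Added example, not part of the thread and not taken from any remailer's code: a sketch of the policy in (e) combined with aggregate-only accounting. It forwards a message only if what remains after this hop's decryption is a single ASCII-armored OpenPGP message whose first packet is an encryption packet; armored but merely signed or compressed data uses the same BEGIN PGP MESSAGE armor and is dropped. The "Next-Hop:" header, the addresses and all function names are hypothetical, the sample message is constructed, and the check is a heuristic rather than proof of encryption.

```python
import base64
import binascii
from dataclasses import dataclass

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
# Packet tags that can open an encrypted OpenPGP message (RFC 4880):
# 1 public-key ESK, 3 symmetric-key ESK, 9 encrypted data, 18 encrypted data + MDC.
ENCRYPTED_TAGS = {1, 3, 9, 18}

# Constructed sample: hypothetical "Next-Hop:" line, blank line, armored body.
# The base64 is filler that only starts with a tag-1 packet header; the CRC is fake.
SAMPLE = ("Next-Hop: remailer2@example.invalid\n\n"
          "-----BEGIN PGP MESSAGE-----\n\nhQEMAAAAAAAA\n=AAAA\n-----END PGP MESSAGE-----\n")

@dataclass
class Aggregate:
    """The only state kept: running totals, never per-message data."""
    messages: int = 0
    octets: int = 0

def still_encrypted(body: str) -> bool:
    """Heuristic, not proof: exactly one armored message whose first packet encrypts."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        return False
    data = lines[lines.index("") + 1:-1]        # skip armor headers up to the blank line
    b64 = "".join(ln for ln in data if not ln.startswith("="))  # CRC-24 line, unchecked
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw or not raw[0] & 0x80:            # bit 7 is set in every packet header
        return False
    first = raw[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new vs old format
    return tag in ENCRYPTED_TAGS

def handle(decrypted: str, stats: Aggregate):
    """decrypted: plaintext after this hop's own decryption (not shown here).
    Returns (next_hop, body) to forward, or None for a silent drop."""
    header, _, body = decrypted.replace("\r\n", "\n").partition("\n\n")
    if not header.startswith("Next-Hop: ") or "\n" in header or not still_encrypted(body):
        return None                             # no bounce, no log line
    stats.messages += 1
    stats.octets += len(body.encode())
    return header[len("Next-Hop: "):].strip(), body
```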